AZ-700: Designing and Implementing Microsoft Azure Networking Solutions Part 7
Question #: 81
Topic #: 2
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone.
Vnet1 connects to an on-premises datacenter by using ExpressRoute.
You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Modify the DNS server settings of Vnet1.
B. For FW1, configure custom DNS server.
C. For FW1, enable DNS proxy.
D. On the on-premises DNS servers, configure forwarders that point to the frontend IP address of FW1.
E. On the on-premises DNS servers, configure forwarders that point to the Azure provided DNS service at 168.63.129.16.
Selected Answer: CD
Question #: 82
Topic #: 1
HOTSPOT
Your on-premises network contains a VPN device.
You have an Azure subscription that contains a virtual network and a virtual network gateway.
You need to create a Site-to-Site VPN connection that has a custom cryptographic policy.
How should you complete the PowerShell script? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 83
Topic #: 5
SIMULATION
Username and password
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username: User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
You need to ensure that connections to the storage12345678 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage12345678.privatelink.blob.core.windows.net.
To complete this task, sign in to the Azure portal.
Suggestion Answer:
Question #: 84
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 85
Topic #: 2
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. internal load balancers
B. storage account
C. Azure Virtual Networks NAT
D. service endpoint policies
Selected Answer: A
Question #: 86
Topic #: 3
You have an Azure subscription that contains the public IPv4 addresses shown in the following table.
You plan to create a load balancer named LB1 that will have the following settings:
✑ Name: LB1
✑ Location: West US
✑ Type: Public
✑ SKU: Standard
Which public IPv4 addresses can be used by LB1?
A. IP1, IP3, IP4, and IP5 only
B. IP3 only
C. IP1 and IP3 only
D. IP2 only
E. IP1, IP2, IP3, IP4, and IP5
F. IP3 and IP5 only
Selected Answer: B
Question #: 87
Topic #: 1
HOTSPOT
You have an Azure virtual network and an on-premises datacenter that connect by using a Site-to-Site VPN tunnel.
You need to ensure that all traffic from the virtual network to the internet is routed through the datacenter.
How should you complete the PowerShell script to configure forced tunneling? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 88
Topic #: 5
SIMULATION
You need to ensure that requests for www.relecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net.
To complete this task, sign in to the Azure portal.
Suggestion Answer:
Question #: 89
Topic #: 2
HOTSPOT
You have an Azure subscription.
You have the on-premises sites shown in the following table.
You plan to deploy Azure Virtual WAN.
You are evaluating Virtual WAN Basic and Virtual WAN Standard.
Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 90
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 91
Topic #: 3
You have the Azure environment shown in the exhibit.
VM1 is a virtual machine that has an instance-level public IP address (ILPIP).
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool.
NAT Gateway uses a public IP address named IP3 that is associated to SubnetA.
VNet1 has a virtual network gateway that has a public IP address named IP4.
When initiating outbound traffic to the internet from VM1, which public address is used?
A. IP1
B. IP2
C. IP3
D. IP4
Selected Answer: C
Question #: 92
Topic #: 5
SIMULATION
You need to ensure that the storage12345678 storage account will only accept connections from the hosts on VNET1.
To complete this task, sign in to the Azure portal.
Suggestion Answer:
Question #: 93
Topic #: 2
HOTSPOT
You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2.
You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit.
You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit.
You have a virtual network link configured as shown in the Virtual Network Link exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 94
Topic #: 1
You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table.
A Site-to-Site VPN will connect Vnet1 to your company’s on-premises network.
You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs.
What should you recommend for Vnet2 and Vnet3?
A. VNet-to-VNet VPN connections
B. peering
C. service endpoints
D. route tables
Selected Answer: B
Question #: 95
Topic #: 3
You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network.
You need to provide high availability for the NVAs. The solution must minimize administrative effort.
What should you include in the solution?
A. Azure Standard Load Balancer
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Front Door
Selected Answer: A
Question #: 96
Topic #: 4
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines.
Which Azure Network Watcher feature should you implement first?
A. NSG flow logs
B. IP flow verify
C. Connection monitor
D. Packet capture
Selected Answer: A
Question #: 97
Topic #: 2
HOTSPOT
You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones.
You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2.
You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2.
You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements:
✑ A failure of two zones must NOT affect the availability of either App1 or App2.
✑ A failure of two zones must NOT affect the outbound connectivity of either App1 or App2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 98
Topic #: 4
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
VNet1 and VNet2 are NOT connected to each other.
You need to block traffic from SQL Server 2019 to IIS by using application security groups. The solution must minimize administrative effort.
How should you configure the application security groups? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 99
Topic #: 5
HOTSPOT
You have two Azure subscriptions named Subscription1 and Subscription2.
There are no connections between the virtual networks in the two subscriptions.
You configure a private link service as shown in the privatelinkservice1 exhibit. (Click the privatelinkservice1 tab.)
You create a load balancer name in Subscription1 and configure the backend pool shown in the lb1 exhibit. (Click the lb1 tab.)
You create a private endpoint in Subscription2 as shown in the privateendpoint4 exhibit. (Click the privateendpoint4 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 100
Topic #: 1
Your company has an office in New York.
The company has an Azure subscription that contains the virtual networks shown in the following table.
You need to connect the virtual networks to the office by using ExpressRoute. The solution must meet the following requirements:
• The connection must have up to 1 Gbps of bandwidth.
• The office must have access to all the virtual networks.
• Costs must be minimized.
How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you enable?
A. one ExpressRoute Premium circuit
B. two ExpressRoute Premium circuits
C. four ExpressRoute Standard circuits
D. one ExpressRoute Standard circuit
Selected Answer: A
Question #: 101
Topic #: 3
You have five virtual machines that run Windows Server. Each virtual machine hosts a different web app.
You plan to use an Azure application gateway to provide access to each web app by using a hostname of www.contoso.com and a different URL path for each web app, for example: https://www.contoso.com/app1.
You need to control the flow of traffic based on the URL path.
What should you configure?
A. HTTP settings
B. listeners
C. rules
D. rewrites
Selected Answer: C
Question #: 102
Topic #: 2
HOTSPOT
You have the Azure resources shown in the following table.
WebApp1 uses the Standard pricing tier.
You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1\Subnet1 and Vnet2\Subnet1. The solution must minimize costs.
What should you create in each virtual network? To answer, select the appropriate options in the answer area.
Hot Area:
Suggestion Answer:
Question #: 103
Topic #: 4
HOTSPOT
You have an Azure virtual network that contains the subnets shown in the following table.
In NSG1, you create inbound rules as shown in the following table.
NSG2 has only the default rules configured.
You have the Azure virtual machines shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 104
Topic #: 1
You have an Azure subscription that contains a virtual network.
You plan to deploy an Azure VPN gateway and 90 Site-to-Site VPN connections. The solution must meet the following requirements:
• Ensure that the Site-to-Site VPN connections remain available if an Azure datacenter fails.
• Minimize costs.
Which gateway SKU should you specify?
A. VpnGw1AZ
B. VpnGw2AZ
C. VpnGw4AZ
D. VpnGw5AZ
Selected Answer: C
Question #: 105
Topic #: 3
You plan to publish a website that will use an FQDN of www.contoso.com. The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You create a Traffic Manager profile named TMprofile1. TMprofile1 uses the weighted traffic-routing method.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create?
A. two A records that map www.contoso.com to 131.107.100.1 and 131.107.200.1
B. a CNAME record that maps www.contoso.com to TMprofile1.azurefd.net
C. a CNAME record that maps www.contoso.com to TMprofile1.trafficmanager.net
D. a TXT record that contains a string of as1.contoso.com and as2.contoso.com in the details
Selected Answer: C
Question #: 106
Topic #: 5
You have an Azure subscription that contains an Azure Front Door named FD1.
You plan to deploy an app named App1 by using Azure App Service. Users will access App1 by using FD1.
You need to provide FD1 with access to App1. The solution must meet the following requirements:
• Ensure that users can only access App1 by using FD1.
• Ensure that users cannot access App1 directly from the internet.
What should you create for App1?
A. an access restriction
B. a private endpoint
C. a subnet delegation
D. a service endpoint
Selected Answer: A
Question #: 107
Topic #: 2
HOTSPOT
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 108
Topic #: 5
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
You purchase a certificate for app1.contoso.com from a public certification authority (CA) and install the certificate on appservice1.
You need to ensure that App1 can be accessed by using a URL of https://app1.contoso.com. The solution must ensure that all the traffic for App1 is routed via FD1.
Which type of DNS record should you create, and where should you store the certificate? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 109
Topic #: 1
You have an Azure subscription that contains the resources shown in the following table.
You create a virtual network named Vnet2 in the West US region.
You plan to enable peering between Vnet1 and Vnet2.
You need to ensure that the virtual machines connected to Vnet2 can connect to VM1 and VM2 via LB1.
What should you do?
A. From the Peerings settings of Vnet2, set Traffic forwarded from remote virtual network to Allow.
B. Change the Floating IP configurations of LB1.
C. From the Peerings settings of Vnet1, set Traffic forwarded from remote virtual network to Allow.
D. Change the SKU of LB1.
Selected Answer: D
Question #: 110
Topic #: 4
You have the Azure virtual networks shown in the following table.
You have the Azure resources shown in the following table.
You need to check latency between the resources by using connection monitors in Azure Network Watcher.
What is the minimum number of connection monitors that you must create?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: B
Question #: 111
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 112
Topic #: 1
DRAG DROP
Your on-premises network contains an Active Directory Domain Services (AD DS) domain named contoso.com that has an internal certification authority (CA).
You have an Azure subscription.
You deploy an Azure application gateway named AppGwy1 and perform the following actions:
• Configure an HTTP listener
• Associate a routing rule with the listener
You need to configure AppGwy1 to perform mutual authentication for requests from domain-joined computers to contoso.com.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Suggestion Answer:
Question #: 113
Topic #: 3
HOTSPOT –
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 114
Topic #: 2
You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits.
You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet.
You plan to migrate the hub-and-spoke topology to Azure Virtual WAN.
You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a single point of ingress from the internet.
Which three changes should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add user-defined routes.
B. Add virtual network peerings.
C. Replace the user-defined routes used by the current topology.
D. Create virtual network connections.
E. Remove the existing virtual network peerings.
F. Redeploy GW1.
Selected Answer: CDE
Question #: 115
Topic #: 4
You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
RG1 contains an Azure Network Watcher instance named NW1.
You need to ensure that Admin1 can place a lock on NW1. The solution must use the principle of least privilege.
Which role should you assign to Admin1?
A. User Access Administrator
B. Resource Policy Contributor
C. Network Contributor
D. Monitoring Contributor
Selected Answer: A
Question #: 116
Topic #: 5
You have an Azure subscription that contains four virtual machines. The virtual machines host an app named App1.
You deploy an Azure Standard Load Balancer named LB1 to load balance incoming HTTPS requests to App1.
You need to reduce how long it takes for LB1 to stop sending App1 traffic to failed servers. The solution must minimize administrative effort.
What should you modify?
A. the Backend pools settings
B. the Diagnostic settings
C. the Load-balancing rules
D. the Health probes settings
Selected Answer: D
Question #: 117
Topic #: 1
SIMULATION
You are preparing to connect your on-premises network to VNET4 by using a Site-to-Site VPN. The on-premises endpoint of the VPN will be created on a firewall named Firewall1.
The on-premises network has the following configuration:
• internal address range: 10.10.0.0/16
• Firewall1 internal IP address: 10.10.1.1
• Firewall public IP address: 131.107.50.60
BGP is NOT used.
You need to create the object that will provide the IP addressing configuration of the on-premises network to the Site-to-Site VPN. You do NOT need to create a virtual network gateway to complete this task.
To complete this task, sign in to the Azure portal.
Suggestion Answer:
Question #: 118
Topic #: 3
DRAG DROP
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 119
Topic #: 4
You have a network security group named NSG1.
You need to enable network security group (NSG) flow logs for NSG1. The solution must support retention policies.
What should you create first?
A. A standard general-purpose v2 Azure Storage account
B. An Azure Log Analytics workspace
C. A standard general-purpose v1 Azure Storage account
D. A premium Block blobs Azure Storage account
Selected Answer: A
Question #: 120
Topic #: 5
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the following subnets:
• AzureFirewallSubnet
• GatewaySubnet
• Subnet1
• Subnet2
• Subnet3
Subnet2 has a delegation to the Microsoft.Web/serverfarms service.
The subscription contains the resources shown in the following table.
You need to implement an Azure application gateway named AG1 that will be integrated with an Azure Web Application Firewall (WAF). AG1 will be used to publish VMSS1.
To which subnet should you connect AG1?
A. GatewaySubnet
B. AzureFirewallSubnet
C. Subnet2
D. Subnet1
E. Subnet3
Selected Answer: E